THREAT DETECTION: 4 LITTLE CHANGES THAT’LL MAKE A BIG DIFFERENCE

1. More Isn’t Always Better For Threat Detection

The first small fix that can help the threat detection is something that applies to many facets of life: moderation. Often organizations believe that more security “content” means more security. This is true for indicators, rules, signatures, and queries. The reality is that quantity alone can actually have a negative impact on security operations. This is because quantity alone, especially without vetting, can result in huge number of false positives. These false positives burn analysts out, and overwhelm support teams.

2. Build Analyst-focused Documentation

Another small fix that can have a big impact on threat detection is analyst-focused process documentation. Now, to some this may appear to be a “not-so-little” fix. But, in reality, most organizations often see the same detections again and again. So, to build procedural documentation around the top ten is is often easier than it appears. Why is it important though?

3. Context Matters for Threat Detection

Like the point made in #2, this evolutionary fix can have a big impact. When teams are ingesting new indicators, rolling out new rules, or deploying custom queries, context matters. Now, ideally, organizations will build procedural documentation for their analysts. But, when that isn’t possible, the next best thing is context.

4. Validation is Critical to Threat Detection

Organizations often determine how protected they are by the numbers. They look at how many indicators, rules, signatures, and queries they have for a particular threat. The higher the number, the more protected they feel. And this is a perfectly rational line of thought. But it is often fatally flawed. This is because, from our research, most organizations get their detection content from free sources. And as we mentioned before, that the community provides these is a testament to the folks in it. Still, the problem remains that most organizations can’t test that content.

Conclusion

The concept of a “quick fix” can be very alluring. The reality though is almost every significant security impact for organizations doesn’t come from a revolution. Instead, it comes from an evolution. Small steps and changes that can have big impacts, especially with threat detection.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cyborg Security

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.